Stream: implementers
Topic: SMART Launch from an EPIC webview
Abdulhakim Tlimat (Mar 03 2018 at 02:57):
Dear All,
Trying to embed a SMART on FHIR app into a webview activity in EPIC. It's gonna be a provider-facing app that only has access to one patient record. In this page http://docs.smarthealthit.org/authorization/scopes-and-launch-context/ under "Apps that launch from the EHR" it says that I should launch using a query param launch=abc123 and keep using that same parameter value on all API calls and transactions. Points that are still not clear:
1. Should I exchange that for a token and use it in Bearer method auth?
2. Where do I get that unique launch token, how do I link that launch token to only allow access to one patient record. Can that be established from EPIC's Interconnect server that is the FHIR endpoint?
Would greatly appreciate some help on this as this is the only remaining problem that I am facing.
Thanks
Josh Mandel (Mar 03 2018 at 13:03):
Epic acts as a SMART on FHIR server, and can be configured to launch your app within an embedded browser when a specific menu item or button is clicked. @Isaac Vetter or @Danielle Friend should be able to point you in the right direction for working with an Epic site to set this up.
Abdulhakim Tlimat (Mar 03 2018 at 19:04):
Thank you very much @Josh Mandel. I think I am completely clear now on #1. Still not sure about #2 in the previous post on how to create that unique launch token that the OAuth 2.0 server should also be aware of. Would really appreciate any help from @Isaac Vetter or @Danielle Friend.
Isaac Vetter (Mar 09 2018 at 19:13):
Hey @Abdulhakim Tlimat ! Looks like I'm late to the conversation, catching up from this week.
1) There's some Epic configuration required that causes the launch token to be generated when the app is launched from the EHR. Documentation for this configuration is available to customer analysts in our documentation portal. Who can I point to that documentation to aid this implementation?
2) The access_token resulting from the OAuth handshake grants the app access to particular data that's limited by two things: (a) the permissions of the user authorizing the app (in this case the provider) and (b) the FHIR resources that the app registered during the client creation process.
3) Mind if I ask in which health system you're implementing this? That will allow me to loop in the Epic support team for that customer to assist.
The Epic SMART implementation does not limit a provider-facing access_token to only the current patient from whose chart the app was launched (you get a user/ scope, not a patient/ scope). Rather, your app/access_token can query data across patients based upon the user's access rights.
I feel like I used too many words to explain that. Does the above make sense?
Isaac
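The thread covers three things an app author has to get right in an EHR launch: the `launch` value is sent once in the authorization request (together with the `launch` scope and `aud` set to the FHIR server's `iss`), the `state` on the redirect back must be checked, and the granted scopes, not the `patient` launch context, decide how far the resulting access_token reaches (a `user/` scope follows the provider's access rights across patients; only a `patient/` scope is limited to the context patient). The following Python is an added example written for this page, not code from the thread, from Epic or from the SMART project; the endpoint URLs, client id, launch value and token response are constructed stand-ins, and nothing here touches the network.

```python
"""Client-side helpers for a SMART App Launch (EHR launch).

Added example with constructed values only; models the steps the thread
discusses without contacting any server.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorize_request(authorize_endpoint, client_id, redirect_uri,
                            iss, launch, scopes, state=None):
    """Build the authorization URL for an EHR launch.

    `iss` is the FHIR server base URL the EHR passed on launch and is echoed
    back as `aud`. `launch` is the opaque value the EHR generated; it is sent
    once here, together with the `launch` scope, and is never reused on FHIR
    calls (those carry the access_token). Returns (url, state); the caller
    keeps `state` to check the redirect.
    """
    if "launch" not in scopes:
        raise ValueError("EHR launch requires the 'launch' scope")
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "launch": launch,
        "scope": " ".join(scopes),
        "state": state,
        "aud": iss,
    }
    return f"{authorize_endpoint}?{urlencode(params)}", state


def authorize_params(url):
    """Decode the query string of an authorization URL (for inspection)."""
    return parse_qs(urlparse(url).query)


def validate_callback(query, expected_state):
    """Check the redirect from the authorization server; return the code.

    A missing or mismatched `state` is rejected so a code from another
    session cannot be bound to this one.
    """
    if query.get("state") != expected_state:
        raise ValueError("state mismatch; discard this callback")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def classify_access(token_response):
    """Summarise what a token response actually grants.

    `patient` says which chart the app was launched from; the granted scopes
    decide the reach of the token: `user/` scopes span whatever the provider
    may see, only `patient/` scopes are confined to the context patient.
    """
    granted = set(token_response.get("scope", "").split())
    patient_scoped = any(s.startswith("patient/") for s in granted)
    user_scoped = any(s.startswith("user/") for s in granted)
    return {
        "launch_patient": token_response.get("patient"),
        "granted_scopes": granted,
        "patient_scoped": patient_scoped and not user_scoped,
        "user_scoped": user_scoped,
    }


def auth_header(token_response):
    """Header for FHIR API calls: the access_token, never the launch value."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("expected a Bearer token")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


# Constructed sample values (not real Epic identifiers or tokens).
SAMPLE_ISS = "https://ehr.example.org/fhir"
SAMPLE_LAUNCH = "abc123"
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "constructed-access-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "launch openid fhirUser user/Patient.read user/Observation.read",
    "patient": "constructed-patient-id",
}

if __name__ == "__main__":
    url, state = build_authorize_request(
        "https://ehr.example.org/oauth2/authorize", "my-client-id",
        "https://app.example.org/callback", SAMPLE_ISS, SAMPLE_LAUNCH,
        ["launch", "openid", "fhirUser", "user/Patient.read"])
    print(url)
    print("code:", validate_callback({"code": "constructed-code",
                                      "state": state}, state))
    print(classify_access(SAMPLE_TOKEN_RESPONSE))
    print(auth_header(SAMPLE_TOKEN_RESPONSE))
```

Run against the constructed token response, `classify_access` reports `user_scoped` and not `patient_scoped`: the launch context names a patient, but the token itself is not confined to that patient, which is the point Isaac makes above. An app that must stay on one record has to request `patient/` scopes and then check what was actually granted, rather than relying on the launch value.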
Last updated: Apr 12 2022 at 19:14 UTC